1. A method for use in a computer system including a plurality of devices, a shared
resource shared by the plurality of devices, and a network that couples the plurality of 
devices to the shared resource, the method including acts of: 

(a) in response to one of the plurality of devices attempting to access the 
shared resource and representing itself to the shared resource as a first device, 
determining whether the one of the plurality of devices is attempting to access the shared 
resource through a physical connection through the network that is different than a first 
physical connection through the network used by the first device to access the shared 
resource; and 

(b) when it is determined in the act (a) that the one of the plurality of devices 
is attempting to access the shared resource through a connection through the network that 
is different than the first physical connection, denying the attempted access by the one of 
the plurality of devices to the shared resource. 

2. The method of claim 1, wherein the attempted access by the one of the plurality
of devices is an attempt to login to the shared resource, and wherein the act (b) includes 
an act of: 

when it is determined in the act (a) that the one of the plurality of devices is 
attempting to login to the shared resource through a physical connection through the 
network that is different than the first physical connection, denying the attempted login 
by the one of the plurality of devices to the shared resource. 

3. The method of claim 1, wherein the network is a Fibre Channel fabric, wherein
the one of the plurality of devices and the first device each has an assigned world wide 
name (WWN) and a fabric identifier (fabric ID); 

wherein the method further includes a step of storing the WWN and the fabric ID 
of the first device in response to an access by the first device to the shared resource; and 

wherein the act (a) is performed in response to an access, that occurs after the 
access by the first device, by the one of the plurality of devices to the shared resource 
and includes acts of: 

examining a value of the WWN presented by the one of the plurality of
devices to the shared resource to determine that the one of the plurality of devices
is representing itself as being the first device;

comparing a value of the fabric ID presented by the one of the plurality of
devices to the stored fabric ID for the first device; and

determining that the one of the plurality of devices is attempting to access
the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the fabric ID
presented by the one of the plurality of devices mismatches the stored fabric ID
for the first device.

4. The method of claim 1, wherein the network employs a protocol wherein the one 
of the plurality of devices and the first device each has a first identifier that uniquely
identifies the device in a manner that is independent of a physical configuration of the
computer system and a second identifier that uniquely identifies the device in a manner
that is dependent upon the physical configuration of the computer system;

wherein the method further includes a step of storing the first and second
identifiers of the first device in response to an access by the first device to the shared
resource; and

wherein the act (a) is performed in response to an access, that occurs after the
access by the first device, by the one of the plurality of devices to the shared resource
and includes acts of:

examining a value of the first identifier presented by the one of the
plurality of devices to the shared resource to determine that the one of the
plurality of devices is representing itself to be the first device;

comparing a value of the second identifier presented by the one of the
plurality of devices to the stored value of the second identifier for the first device;
and

determining that the one of the plurality of devices is attempting to access
the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the second identifier
presented by the one of the plurality of devices mismatches the stored value of
the second identifier for the first device.

5. The method of claim 1, wherein the shared resource is a storage system;

wherein the act (a) includes an act of, in response to the one of the plurality of
devices attempting to access the storage system and representing itself to the storage
system as the first device, determining whether the one of the plurality of devices is
attempting to access the storage system through a physical connection through the
network that is different than a first physical connection through the network that the
first device uses to access the storage system; and

wherein the act (b) includes an act of, when it is determined in the act (a) that the
one of the plurality of devices is attempting to access the storage system through a
physical connection through the network that is different than the first physical
connection, denying the attempted access by the one of the plurality of devices to the
storage system.

6. The method of claim 5, wherein the acts (a) and (b) are performed by the storage 
system. 

7. The method of claim 5, wherein the acts (a) and (b) are performed outside of the 
storage system. 

8. The method of claim 7, wherein the acts (a) and (b) are performed by a device 
disposed between the storage system and the network.

9. The method of claim 2, wherein the network is a Fibre Channel fabric, wherein 
the one of the plurality of devices and the first device each has an assigned world wide 
name (WWN) and a fabric identifier (fabric ID); 

wherein the method further includes a step of storing the WWN and the fabric ID
of the first device in response to a login by the first device to the shared resource; and

wherein the act (a) is performed in response to a login attempt, that occurs after
the login by the first device, by the one of the plurality of devices to the shared resource
and includes acts of:

examining a value of the WWN presented by the one of the plurality of
devices to the shared resource to determine that the one of the plurality of devices
is representing itself as being the first device;

comparing a value of the fabric ID presented by the one of the plurality of
devices to the stored fabric ID for the first device; and

determining that the one of the plurality of devices is attempting to login
to the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the fabric ID
presented by the one of the plurality of devices mismatches the stored fabric ID
for the first device.

10. The method of claim 9, wherein the shared resource is a storage system;

wherein the act (a) includes an act of, in response to the one of the plurality of
devices attempting to login to the storage system and representing itself to the storage
system as the first device, determining whether the one of the plurality of devices is
attempting to login to the storage system through a physical connection through the
network that is different than a first physical connection through the network used by the
first device to access the storage system; and

wherein the act (b) includes an act of, when it is determined in the act (a) that the
one of the plurality of devices is attempting to login to the storage system through a
physical connection through the network that is different than the first physical
connection, denying the attempted login by the one of the plurality of devices to the
storage system.

11. The method of claim 10, wherein the acts (a) and (b) are performed by the
storage system. 

12. The method of claim 10, wherein the acts (a) and (b) are performed by a device 
disposed between the storage system and the network. 

13. The method of claim 2, wherein the network employs a protocol wherein the one
of the plurality of devices and the first device each has a first identifier that uniquely
identifies the device in a manner that is independent of a physical configuration of the
computer system and a second identifier that uniquely identifies the device in a manner
that is dependent upon the physical configuration of the computer system;

wherein the method further includes a step of storing the first and second
identifiers of the first device in response to a login by the first device to the shared
resource; and

wherein the act (a) is performed in response to a login request, that occurs after
the login by the first device, by the one of the plurality of devices to the shared resource
and includes acts of:

examining a value of the first identifier presented by the one of the
plurality of devices to the shared resource to determine that the one of the
plurality of devices is representing itself to be the first device;

comparing a value of the second identifier presented by the one of the
plurality of devices to the stored value of the second identifier for the first device;
and

determining that the one of the plurality of devices is attempting to login
to the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the second identifier
presented by the one of the plurality of devices mismatches the stored value of
the second identifier for the first device.

14. The method of claim 13, wherein the shared resource is a storage system; 

wherein the act (a) includes an act of, in response to the one of the plurality of
devices attempting to login to the storage system and representing itself to the storage
system as the first device, determining whether the one of the plurality of devices is
attempting to login to the storage system through a physical connection through the
network that is different than a first physical connection through the network used by the
first device to access the storage system; and

wherein the act (b) includes an act of, when it is determined in the act (a) that the
one of the plurality of devices is attempting to login to the storage system through a
physical connection through the network that is different than the first physical
connection, denying the attempted login by the one of the plurality of devices to the
storage system.

15. The method of claim 14, wherein the acts (a) and (b) are performed by the
storage system.

16. The method of claim 14, wherein the acts (a) and (b) are performed by a device
disposed between the storage system and the network. 

17. The method of claim 3, wherein the shared resource is a storage system;

wherein the act (a) includes an act of, in response to the one of the plurality of
devices attempting to access the storage system and representing itself to the storage
system as a first device, determining whether the one of the plurality of devices is
attempting to access the storage system through a physical connection through the
network that is different than a first physical connection through the network used by the
first device to access the storage system; and

wherein the act (b) includes an act of, when it is determined in the act (a) that the
one of the plurality of devices is attempting to access the storage system through a
physical connection through the network that is different than the first physical
connection, denying the attempted access by the one of the plurality of devices to the
storage system.

18. The method of claim 17, wherein the acts (a) and (b) are performed by the
storage system.

19. The method of claim 17, wherein the acts (a) and (b) are performed by a device
disposed between the storage system and the network. 

20. The method of claim 4, wherein the shared resource is a storage system; 

wherein the act (a) includes an act of, in response to the one of the plurality of
devices attempting to access the storage system and representing itself to the storage
system as a first device, determining whether the one of the plurality of devices is
attempting to access the storage system through a physical connection through the
network that is different than a first physical connection through the network used by the
first device to access the storage system; and

wherein the act (b) includes an act of, when it is determined in the act (a) that the
one of the plurality of devices is attempting to access the storage system through a
physical connection through the network that is different than the first physical
connection, denying the attempted access by the one of the plurality of devices to the
storage system.

21. The method of claim 20, wherein the acts (a) and (b) are performed by the
storage system.

22. The method of claim 20, wherein the acts (a) and (b) are performed by a device 
disposed between the storage system and the network. 

23. A method for use in a computer system including a plurality of devices, a storage
system shared by the plurality of devices, and a network that couples the plurality of
devices to the storage system, wherein the network employs a protocol wherein each of
the plurality of devices has a first identifier that uniquely identifies the device in a
manner that is independent of a physical configuration of the computer system and a
second identifier that uniquely identifies the device in a manner that is dependent upon
the physical configuration of the computer system, the method including acts of:

(a) in response to a login of a first device of the plurality of devices to the
storage system, storing the first and second identifiers of the first device;

(b) in response to an attempt, subsequent to the act (a), by one of the plurality
of devices to login to the storage system while representing itself to the storage system as
the first device, determining whether the one of the plurality of devices is attempting to
login to the storage system through a physical connection through the network that is
different than a first physical connection through the network used by the first device to
login to the storage system in the act (a), including acts of:

(b1) examining a value of the first identifier presented by the one of the
plurality of devices to the storage system to determine that the one of the plurality
of devices is representing itself to be the first device;

(b2) comparing a value of the second identifier presented by the one of
the plurality of devices to the stored value of the second identifier for the first
device; and

(b3) determining that the one of the plurality of devices is attempting to
login to the storage system through a physical connection through the network
that is different than the first physical connection when the value of the second
identifier presented by the one of the plurality of devices mismatches the stored
value of the second identifier for the first device; and

(c) when it is determined in the act (b3) that the one of the plurality of
devices is attempting to login to the storage system through a physical connection
through the network that is different than the first physical connection, denying the
attempted login by the one of the plurality of devices to the storage system.

24. The method of claim 23, wherein the network is a Fibre Channel fabric, wherein 
the first identifier is a world wide name (WWN) and the second identifier is a fabric 
identifier (fabric ID);

wherein the act (a) includes an act of, in response to a login of first device to the
storage system, storing the WWN and the fabric ID of the first device;

wherein the act (b1) includes an act of examining a value of the WWN presented
by the one of the plurality of devices to determine that the one of the plurality of devices
is representing itself to be the first device;

wherein the act (b2) includes an act of comparing a value of the fabric ID
presented by the one of the plurality of devices to the stored value of the fabric ID for the
first device; and

wherein the act (b3) includes an act of determining that the one of the plurality of
devices is attempting to login to the storage system through a physical connection
through the network that is different than the first physical connection when the value of
the fabric ID presented by the one of the plurality of devices mismatches the stored value
of the fabric ID for the first device.
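
The login check recited in claims 23 and 24, as an added example that is not part of the patent text: a filter stores the WWN and fabric ID at a device's first login and denies a later login that presents the same WWN with a different fabric ID. The names `LoginFilter`, `parse_wwn`, `parse_fabric_id` and `replay`, the 64-bit WWN and 24-bit fabric ID text formats, and all sample values are assumptions constructed for this illustration.

```python
# Added illustration of the login check in claims 23 and 24; not code from the patent.
# All names and sample values below are hypothetical.
from dataclasses import dataclass, field


def parse_wwn(text: str) -> bytes:
    """Normalize a WWN such as '10:00:00:00:C9:2A:11:01' to its 8 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 8:
        raise ValueError(f"WWN must be 64 bits, got {len(raw) * 8}")
    return raw


def parse_fabric_id(value) -> int:
    """Accept a fabric ID as an int or a hex string; it must fit in 24 bits."""
    fid = int(value, 16) if isinstance(value, str) else int(value)
    if not 0 <= fid <= 0xFFFFFF:
        raise ValueError("fabric ID must fit in 24 bits")
    return fid


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class LoginFilter:
    # Act (a): first identifier (WWN) -> second identifier (fabric ID) seen at first login.
    bindings: dict = field(default_factory=dict)
    # One record per login attempt, so denied attempts can be reviewed later.
    audit: list = field(default_factory=list)

    def login(self, wwn_text, fabric_id) -> Decision:
        wwn = parse_wwn(wwn_text)            # act (b1): which device is being claimed
        fid = parse_fabric_id(fabric_id)
        stored = self.bindings.get(wwn)
        if stored is None:
            # No earlier login under this WWN: store the pair and allow.
            self.bindings[wwn] = fid
            decision = Decision(True, "first login, binding stored")
        elif stored == fid:                  # act (b2): compare with the stored value
            decision = Decision(True, "fabric ID matches stored binding")
        else:
            # Act (b3) and act (c): mismatch means a different physical connection,
            # so the login is denied and the stored binding is left untouched.
            decision = Decision(
                False, f"WWN bound to fabric ID {stored:06x}, presented {fid:06x}"
            )
        self.audit.append((wwn.hex(":"), f"{fid:06x}", decision.allowed, decision.reason))
        return decision


# Constructed sample login attempts: (WWN as presented, fabric ID as presented).
SAMPLE_LOGINS = [
    ("10:00:00:00:c9:2a:11:01", "010200"),  # first device logs in
    ("10:00:00:00:C9:2A:11:01", 0x010200),  # same device, same connection
    ("10-00-00-00-C9-2A-11-01", "010300"),  # same WWN presented with another fabric ID
    ("10:00:00:00:c9:2a:11:02", "010300"),  # different WWN, its own first login
]


def replay(logins):
    """Run the attempts through a fresh filter; return the allow/deny list and the filter."""
    flt = LoginFilter()
    return [flt.login(wwn, fid).allowed for wwn, fid in logins], flt


if __name__ == "__main__":
    results, flt = replay(SAMPLE_LOGINS)
    for record in flt.audit:
        print(record)
```

The WWN is normalized before lookup so that a different spelling of the same 64-bit value cannot bypass the stored binding.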

25. The method of claim 23, wherein the acts (a) and (b) are performed by the
storage system. 

26. The method of claim 23, wherein the acts (a) and (b) are performed by a device 
disposed between the storage system and the network. 

27. A method for use in a computer system including a network and a plurality of 
devices coupled to the network, the network employing a protocol wherein each of the 
plurality of devices has a first identifier that uniquely identifies the device in a manner
that is independent of a physical configuration of the computer system and a second
identifier that uniquely identifies the device in a manner that is dependent upon the 
physical configuration of the computer system, the network including at least one 
network component that assigns a unique value for the second identifier to each of the 
plurality of devices that is logged into the network, the method including acts of: 

(a) in response to one of the plurality of devices attempting to login to the 
network and representing itself to the network as a first device, determining whether the 
one of the plurality of devices is attempting to login to the network through a port that is 
different than a first port of the network through which the first device previously logged 
into the network; and 

(b) when it is determined in the act (a) that the one of the plurality of devices 
is attempting to access the network through a port that is different than the first port, 
denying the attempted login by the one of the plurality of devices to the network. 

28. The method of claim 27, wherein the at least one network component includes at 
least one switch having a first switch port that forms the first port through which the first 
device previously logged into the network; and 

wherein the act (a) includes an act of, in response to the one of the plurality of 
devices attempting to login to the network and representing itself to the network as the 
first device, determining whether the one of the plurality of devices is attempting to login 
to the network through a port different than the first switch port. 

29. The method of claim 27, further including an act of preventing at least one of the 
plurality of devices from transmitting information through the network while 
representing itself with a value for the second identifier that differs from its value 
assigned by the at least one network component. 

30. The method of claim 27, wherein the network is a Fibre Channel fabric, wherein 
the first identifier is a world wide name (WWN) and the second identifier is a fabric 
identifier (fabric ID); 

wherein the method further includes an act of, in response to the previous login of 
the first device into the network, storing the WWN and the fabric ID of the first device; 
and

wherein the act (a) includes acts of:

examining a value of the WWN presented by the one of the plurality of
devices during the attempted login to determine that the one of the plurality of
devices is representing itself to be the first device;

comparing a value of the fabric ID presented by the one of the plurality of
devices to the stored value of the fabric ID for the first device; and

determining that the one of the plurality of devices is attempting to access
the network through a port that is different than the first port when the value of
the fabric ID presented by the one of the plurality of devices mismatches the
stored value of the fabric ID for the first device.

31. The method of claim 27, wherein the method further includes an act of, in
response to the previous login of the first device into the network, storing the first and
second identifiers of the first device; and

wherein the act (a) includes acts of:

examining a value of the first identifier presented by the one of the
plurality of devices during the attempted login to determine that the one of the
plurality of devices is representing itself to be the first device;

comparing a value of the second identifier presented by the one of the
plurality of devices to the stored value of the second identifier for the first device;
and

determining that the one of the plurality of devices is attempting to access
the network through a port different than the first port when the value of the
second identifier presented by the one of the plurality of devices mismatches the
stored value of the second identifier for the first device.

32. An apparatus for use in a computer system including a plurality of devices, a 
shared resource shared by the plurality of devices, and a network that couples the 
plurality of devices to the shared resource, the apparatus including: 

an input to be coupled to the network; and

at least one controller, coupled to the input, that is responsive to one of the
plurality of devices attempting to access the shared resource while representing itself to
the shared resource as a first device, to determine whether the one of the plurality of
devices is attempting to access the shared resource through a physical connection
through the network that is different than a first physical connection through the network
used by the first device to access the shared resource, and to deny the attempted access
by the one of the plurality of devices to the shared resource when it is determined that the
one of the plurality of devices is attempting to access the shared resource through a
physical connection through the network that is different than the first physical
connection.

33. The apparatus of claim 32, wherein the attempted access by the one of the 
plurality of devices is an attempt to login to the shared resource, and wherein the at least
one controller denies the attempted login when it is determined that the one of the 
plurality of devices is attempting to login to the shared resource through a physical 
connection through the network that is different than the first physical connection. 

34. The apparatus of claim 32, wherein the network is a Fibre Channel fabric,
wherein the one of the plurality of devices and the first device each has an assigned
world wide name (WWN) and a fabric identifier (fabric ID);

wherein the apparatus further includes a storage device coupled to the at least one
controller;

wherein the at least one controller stores the WWN and the fabric ID of the first
device in the storage device in response to an access by the first device to the shared
resource; and

wherein when the one of the plurality of devices attempts to access the shared
resource after the access by the first device, the at least one controller:

examines a value of the WWN presented by the one of the plurality of
devices to the shared resource to determine that the one of the plurality of devices
is representing itself as being the first device;

compares a value of the fabric ID presented by the one of the plurality of
devices to the stored fabric ID for the first device; and

determines that the one of the plurality of devices is attempting to access
the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the fabric ID
presented by the one of the plurality of devices mismatches the stored fabric ID
for the first device.

35. The apparatus of claim 32, wherein the network employs a protocol wherein the
one of the plurality of devices and the first device each has a first identifier that uniquely
identifies the device in a manner that is independent of a physical configuration of the
computer system and a second identifier that uniquely identifies the device in a manner
that is dependent upon the physical configuration of the computer system;

wherein the apparatus further includes a storage device coupled to the at least one
controller;

wherein the at least one controller stores the first and second identifiers of the
first device in the storage device in response to an access by the first device to the shared
resource; and

wherein when the one of the plurality of devices attempts to access the shared
resource after the access by the first device, the at least one controller:

examines a value of the first identifier presented by the one of the
plurality of devices to the shared resource to determine that the one of the
plurality of devices is representing itself to be the first device;

compares a value of the second identifier presented by the one of the
plurality of devices to the stored value of the second identifier for the first device;
and

determines that the one of the plurality of devices is attempting to access
the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the second identifier
presented by the one of the plurality of devices mismatches the stored value of
the second identifier for the first device.

36. The apparatus of claim 32, wherein the shared resource is a storage system; 

wherein in response to the one of the plurality of devices attempting to access the 
storage system and representing itself to the storage system as a first device, the at least
one controller determines whether the one of the plurality of devices is attempting to
access the storage system through a physical connection through the network that is
different than the first physical connection; and

wherein when it is determined that the one of the plurality of devices is
attempting to access the storage system through a physical connection through the
network that is different than the first physical connection, the at least one controller
denies the attempted access by the one of the plurality of devices to the storage system.

37. The apparatus of claim 36, in combination with the storage system, wherein the at 
least one controller and the input each is disposed within the storage system. 

38. The apparatus of claim 36, wherein the at least one controller and the input each 
is disposed outside of the storage system.

39. The apparatus of claim 38, wherein the apparatus includes a filter unit that 
includes the input and the at least one controller and is adapted to be disposed between 
the storage system and the network. 

40. The apparatus of claim 33, wherein the network is a Fibre Channel fabric, 
wherein the one of the plurality of devices and the first device each has an assigned 
world wide name (WWN) and a fabric identifier (fabric ID); 

wherein the at least one controller stores the WWN and the fabric ID of the first 
device in response to a login by the first device to the shared resource; and

wherein when the one of the plurality of devices attempts to login to the shared
resource after the login by the first device, the at least one controller:

examines a value of the WWN presented by the one of the plurality of
devices to the shared resource to determine that the one of the plurality of devices
is representing itself as being the first device;

compares a value of the fabric ID presented by the one of the plurality of
devices to the stored fabric ID for the first device; and

determines that the one of the plurality of devices is attempting to login to
the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the fabric ID
presented by the one of the plurality of devices mismatches the stored fabric ID
for the first device.

41. The apparatus of claim 40, wherein the shared resource is a storage system;

wherein in response to the one of the plurality of devices attempting to login to
the storage system and representing itself to the storage system as a first device, the at
least one controller determines whether the one of the plurality of devices is attempting
to login to the storage system through a physical connection through the network that is
different than the first physical connection; and

wherein when it is determined that the one of the plurality of devices is
attempting to login to the storage system through a physical connection through the
network that is different than the first physical connection, the at least one controller
denies the attempted login by the one of the plurality of devices to the storage system.

42. The apparatus of claim 41, in combination with the storage system, wherein the at 
least one controller and the input each is disposed within the storage system. 

43. The apparatus of claim 41, wherein the apparatus includes a filter unit that
includes the input and the at least one controller and is adapted to be disposed between
the storage system and the network.

44. The apparatus of claim 33, wherein the network employs a protocol wherein the 
one of the plurality of devices and the first device each has a first identifier that uniquely
identifies the device in a manner that is independent of a physical configuration of the
computer system and a second identifier that uniquely identifies the device in a manner
that is dependent upon the physical configuration of the computer system;

wherein the apparatus further includes a storage device coupled to the at least one
controller;

wherein the at least one controller stores the first and second identifiers of the
first device in the storage device in response to a login by the first device to the shared
resource; and

wherein when the one of the plurality of devices attempts to login to the shared
resource after the login by the first device, the at least one controller:

examines a value of the first identifier presented by the one of the
plurality of devices to the shared resource to determine that the one of the
plurality of devices is representing itself to be the first device;

compares a value of the second identifier presented by the one of the
plurality of devices to the stored value of the second identifier for the first device;
and

determines that the one of the plurality of devices is attempting to login to
the shared resource through a physical connection through the network that is
different than the first physical connection when the value of the second identifier
presented by the one of the plurality of devices mismatches the stored value of
the second identifier for the first device.

45. The apparatus of claim 44, wherein the shared resource is a storage system;

wherein in response to the one of the plurality of devices attempting to login to 
the storage system and representing itself to the storage system as a first device, the at 
least one controller determines whether the one of the plurality of devices is attempting 
to login to the storage system through a physical connection through the network that is
different than the first physical connection; and

wherein when it is determined that the one of the plurality of devices is 
attempting to login to the storage system through a physical connection through the 
network that is different than the first physical connection, the at least one controller 
denies the attempted login by the one of the plurality of devices to the storage system. 

46. The apparatus of claim 45, in combination with the storage system, wherein the at 
least one controller and the input each is disposed within the storage system. 

47. The apparatus of claim 45, wherein the apparatus includes a filter unit that
includes the input and the at least one controller and is adapted to be disposed between
the storage system and the network. 

48. The apparatus of claim 34, wherein the shared resource is a storage system; 
wherein in response to the one of the plurality of devices attempting to access the
storage system and representing itself to the storage system as a first device, the at least
one controller determines whether the one of the plurality of devices is attempting to 
access the storage system through a physical connection through the network that is 
different than the first physical connection; and 

wherein when it is determined that the one of the plurality of devices is
attempting to access the storage system through a physical connection through the 
network that is different than the first physical connection, the at least one controller 
denies the attempted access by the one of the plurality of devices to the storage system. 

49. The apparatus of claim 48, in combination with the storage system, wherein the at 
least one controller and the input each is disposed within the storage system. 

50. The apparatus of claim 48, wherein the apparatus includes a filter unit that
includes the input and the at least one controller and is adapted to be disposed between
the storage system and the network. 

51. The apparatus of claim 35, wherein the shared resource is a storage system;
wherein in response to the one of the plurality of devices attempting to access the
storage system and representing itself to the storage system as a first device, the at least
one controller determines whether the one of the plurality of devices is attempting to 
access the storage system through a physical connection through the network that is 
different than the first physical connection; and 

wherein when it is determined that the one of the plurality of devices is
attempting to access the storage system through a physical connection through the
network that is different than the first physical connection, the at least one controller 
denies the attempted access by the one of the plurality of devices to the storage system. 

52. The apparatus of claim 51, in combination with the storage system, wherein the at
least one controller and the input each is disposed within the storage system.

53. The apparatus of claim 51, wherein the apparatus includes a filter unit that
includes the input and the at least one controller and is adapted to be disposed between 
the storage system and the network. 

54. The apparatus of claim 32, wherein the at least one controller includes:
means, responsive to the one of the plurality of devices attempting to access the
shared resource while representing itself to the shared resource as a first device, for
determining whether the one of the plurality of devices is attempting to access the shared
resource through a physical connection through the network that is different than a first 
physical connection through the network used by the first device to access the shared 
resource; and 

means for denying the attempted access by the one of the plurality of devices to
the shared resource when it is determined that the one of the plurality of devices is
attempting to access the shared resource through a physical connection through the 
network that is different than the first physical connection. 

55. The apparatus of claim 33, wherein the shared resource is a storage system;

wherein in response to the one of the plurality of devices attempting to login to 
the storage system and representing itself to the storage system as a first device, the at 
least one controller determines whether the one of the plurality of devices is attempting 
to login to the storage system through a physical connection through the network that is
different than the first physical connection; and

wherein when it is determined that the one of the plurality of devices is 
attempting to login to the storage system through a physical connection through the 
network that is different than the first physical connection, the at least one controller 
denies the attempted login by the one of the plurality of devices to the storage system. 

56. The method of claim 2, wherein the shared resource is a storage system; 

wherein the act (a) includes an act of, in response to the one of the plurality of
devices attempting to login to the storage system and representing itself to the storage
system as the first device, determining whether the one of the plurality of devices is
attempting to login to the storage system through a physical connection through the
network that is different than a first physical connection through the network that the
first device uses to login to the storage system; and

wherein the act (b) includes an act of, when it is determined in the act (a) that the
one of the plurality of devices is attempting to login to the storage system through a
physical connection through the network that is different than the first physical
connection, denying the attempted login by the one of the plurality of devices to the
storage system.

57. An apparatus for use in a computer system including a plurality of devices, a
storage system shared by the plurality of devices, and a network that couples the plurality 
of devices to the storage system, wherein the network employs a protocol wherein each 
of the plurality of devices has a first identifier that uniquely identifies the device in a 
manner that is independent of a physical configuration of the computer system and a
second identifier that uniquely identifies the device in a manner that is dependent upon 
the physical configuration of the computer system, the apparatus comprising: 

an input to be coupled to the network; 

a storage device; and 

at least one controller, coupled to the network and the storage device, that is
responsive to a login of a first device of the plurality of devices to the storage system to
store the first and second identifiers of the first device in the storage device; 

the at least one controller further being responsive to an attempt, after the login 
by the first device, by one of the plurality of devices to login to the storage system, while 
representing itself to the storage system as the first device, to:

examine a value of the first identifier presented by the one of the plurality 
of devices to the storage system to determine that the one of the plurality of 
devices is representing itself to be the first device; 

compare a value of the second identifier presented by the one of the 
plurality of devices to the stored value of the second identifier for the first device;

determine that the one of the plurality of devices is attempting to access 
the storage system through a physical connection through the network that is 
different than a first physical connection used by the first device in logging into 
the storage system when the value of the second identifier presented by the one of 
the plurality of devices mismatches the stored value of the second identifier for
the first device; and

deny the attempted login by the one of the plurality of devices to the 
storage system when it is determined that the one of the plurality of devices is 
attempting to login to the storage system through a physical connection through 
the network that is different than the first physical connection.

58. The apparatus of claim 57, wherein the network is a Fibre Channel fabric,
wherein the first identifier is a world wide name (WWN) and the second identifier is a 
fabric identifier (fabric ID); 

wherein the at least one controller stores the WWN and the fabric ID of the first 
device in the storage device in response to the login by the first device to the storage
system; and 

wherein when the one of the plurality of devices attempts to login to the storage 
system after the login by the first device, the at least one controller: 

examines a value of the WWN presented by the one of the plurality of 
devices to the storage system to determine that the one of the plurality of devices
is representing itself as being the first device;

compares a value of the fabric ID presented by the one of the plurality of 
devices to the stored fabric ID for the first device; and 

determines that the one of the plurality of devices is attempting to access 
the storage system through a physical connection through the network that is
different than the first physical connection when the value of the fabric ID
presented by the one of the plurality of devices mismatches the stored fabric ID 
for the first device. 

59. The apparatus of claim 57, in combination with the storage system, wherein the at
least one controller, the storage device and the input each is disposed within the storage 
system. 

60. The apparatus of claim 57, further including a filter unit that includes the input 
and the at least one controller and is adapted to be disposed between the storage system
and the network.

61. The apparatus of claim 57, wherein the at least one controller includes: 
means, responsive to the login of a first device of the plurality of devices to the
storage system, to store the first and second identifiers of the first device in the storage
device; 

means, responsive to an attempt, after the login by the first device, by one of the 
plurality of devices to login to the storage system, while representing itself to the storage 
system as the first device, for examining a value of the first identifier presented by the
one of the plurality of devices to the storage system to determine that the one of the 
plurality of devices is representing itself to be the first device and for comparing a value 
of the second identifier presented by the one of the plurality of devices to the stored 
value of the second identifier for the first device;

means for determining that the one of the plurality of devices is attempting to 
access the storage system through a physical connection through the network that is 
different than a first physical connection used by the first device in logging into the 
storage system when the value of the second identifier presented by the one of the 
plurality of devices mismatches the stored value of the second identifier for the first
device; and 

means for denying the attempted login by the one of the plurality of devices to 
the storage system when it is determined that the one of the plurality of devices is 
attempting to login to the storage system through a physical connection through the 
network that is different than the first physical connection.

62. An apparatus for use in a computer system including a network and a plurality of 
devices coupled to the network, the network employing a protocol wherein each of the 
plurality of devices has a first identifier that uniquely identifies the device in a manner
that is independent of a physical configuration of the computer system and a second
identifier that uniquely identifies the device in a manner that is dependent upon the 
physical configuration of the computer system, the network including at least one 
network component that assigns a unique value for the second identifier to each of the 
plurality of devices that is logged into the network, the apparatus comprising: 

at least one input to be coupled to at least one of the plurality of devices; and

at least one controller that is responsive to one of the plurality of devices 
attempting to login to the network and representing itself to the network as a first device, 
to determine whether the one of the plurality of devices is attempting to login to the 
network through a port that is different than a first port of the network through which the
first device previously logged into the network, and to deny the attempted login by the
one of the plurality of devices to the network when the one of the plurality of devices is 
attempting to login to the network through a port that is different than the first port. 

63. The apparatus of claim 62, in combination with a network switch to form at least
a portion of the network, wherein the at least one controller is disposed within the 
switch. 

64. The apparatus of claim 62, wherein the at least one controller prevents at least
one of the plurality of devices from transmitting information through the network while 
representing itself with a value for the second identifier that differs from its value 
assigned by the at least one network component. 

65. The apparatus of claim 62, wherein the network is a Fibre Channel fabric, 
wherein the first identifier is a world wide name (WWN) and the second identifier is a 
fabric identifier (fabric ID); 

wherein the apparatus further includes a storage device coupled to the at least one 
controller; 

wherein the at least one controller stores the WWN and the fabric ID of the first 
device in response to the login of the first device into the network; and 

wherein when the one of the plurality of devices attempts to login to the shared 
resource after the login by the first device, the at least one controller: 

examines a value of the WWN presented by the one of the plurality of 
devices during the attempted login to determine that the one of the plurality of 
devices is representing itself to be the first device; 

compares a value of the fabric ID presented by the one of the plurality of 
devices to the stored value of the fabric ID for the first device; and 

determines that the one of the plurality of devices is attempting to access 
the network through a port that is different than the first port when the value of 
the fabric ID presented by the one of the plurality of devices mismatches the 
stored value of the fabric ID for the first device. 

66. The apparatus of claim 62, wherein the apparatus further includes a storage 
device coupled to the at least one controller;

wherein the at least one controller stores the first and second identifiers of the 
first device in response to the login of the first device into the network; and 

wherein when the one of the plurality of devices attempts to login to the shared
resource after the login by the first device, the at least one controller: 

examines a value of the first identifier presented by the one of the 
plurality of devices during the attempted login to determine that the one of the 
plurality of devices is representing itself to be the first device; 

compares a value of the second identifier presented by the one of the 
plurality of devices to the stored value of the second identifier for the first device; 
and 

determines that the one of the plurality of devices is attempting to access 
the network through a port different than the first port when the value of the 
second identifier presented by the one of the plurality of devices mismatches the 
stored value of the second identifier for the first device. 
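
The login check recited in claims 58 and 65 (store the WWN and fabric ID at first login, then deny a later login that presents the same WWN with a different fabric ID), as an added illustrative sketch that is not part of the patent text. The class and function names, the sample WWNs and the simplified 24-bit fabric ID layout are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Login:
    wwn: str        # first identifier: independent of the physical configuration
    fabric_id: int  # second identifier: depends on the port the device is attached to

def assign_fabric_id(domain: int, port: int) -> int:
    """Assumed, simplified 24-bit layout: switch domain in the top byte, port below it."""
    return ((domain & 0xFF) << 16) | ((port & 0xFF) << 8)

@dataclass
class LoginFilter:
    bindings: dict = field(default_factory=dict)  # stands in for the claimed storage device
    denied: list = field(default_factory=list)    # audit trail of rejected logins

    def handle_login(self, login: Login) -> bool:
        if not 0 <= login.fabric_id < 1 << 24:
            raise ValueError("fabric ID must fit in 24 bits")
        wwn = login.wwn.replace(":", "").lower()  # one canonical form per WWN
        stored = self.bindings.get(wwn)
        if stored is None:
            # First login for this WWN: record both identifiers.
            self.bindings[wwn] = login.fabric_id
            return True
        if stored != login.fabric_id:
            # Same WWN, different fabric ID: a different physical connection. Deny.
            self.denied.append((wwn, stored, login.fabric_id))
            return False
        return True  # same WWN on the same connection, e.g. a re-login

def run_demo():
    # Constructed sample data: WWNs and port numbers are made up.
    host_a = "10:00:00:00:c9:aa:bb:01"
    host_b = "10:00:00:00:c9:aa:bb:02"
    f = LoginFilter()
    attempts = [
        Login(host_a, assign_fabric_id(1, 4)),          # host A on port 4
        Login(host_b, assign_fabric_id(1, 7)),          # host B on port 7
        Login(host_a.upper(), assign_fabric_id(1, 7)),  # port 7 presents host A's WWN
        Login(host_a, assign_fabric_id(1, 4)),          # host A logs in again
    ]
    return [f.handle_login(a) for a in attempts], f.denied

if __name__ == "__main__":
    results, denied = run_demo()
    print(results)
    for wwn, stored, seen in denied:
        print(f"denied {wwn}: stored fabric ID {stored:#08x}, presented {seen:#08x}")
```

In this sketch the binding is created by whichever login presents a WWN first, so the check protects a WWN only from the point at which its legitimate owner has logged in.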



